Package: gnutls26 Severity: normal Tags: patch --- Please enter the report below this line. --- It seems too me that the subjectAltName wildcard matching has strong constraints. First, it allows only one wildcard. Since a wildcard can only match a single domain component, multiple wildcards are useful (e.g., *.*.example.org). I did not see in the rfc 2818 such restriction. Second, it only allows the wildcard to be at the beginning of the hostname. Since the rfc 2818 gives “f*.com” as an example, I believe this is a false assert. Third, it only allows the wildcard to be followed by a ‘.’. This is not clearly stated in the rfc, but I believe it is reasonnable to assume that if “f*.com” is allowed, then “f*o.com” should be allowed as well. The attached patch fixes all these issues and add some tests.
--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.18.8-xen
Debian Release: lenny/sid
500 unstable ftp.fr.debian.org
--- Package information. ---
Depends (Version) | Installed
=======================-+-===========
|
--
Jean-Philippe Garcia Ballester
diff -Naur gnutls26-2.2.3~rc/lib/x509/rfc2818_hostname.c gnutls26-2.2.3~rc_subject_alt_name_permissive_wildcard/lib/x509/rfc2818_hostname.c
--- gnutls26-2.2.3~rc/lib/x509/rfc2818_hostname.c 2008-04-29 23:51:33.000000000 +0200
+++ gnutls26-2.2.3~rc_subject_alt_name_permissive_wildcard/lib/x509/rfc2818_hostname.c 2008-05-03 14:09:12.000000000 +0200
@@ -36,37 +36,36 @@
{
const char *cmpstr1, *cmpstr2;
- if (strlen (certname) == 0 || strlen (hostname) == 0)
- return 0;
+ /* find the first different character */
+ for (; *certname && *hostname && toupper(*certname) == toupper(*hostname); certname++, hostname++)
+ ;
+
+ /* the strings are the same */
+ if (strlen (certname) == 0 && strlen (hostname) == 0)
+ return 1;
- if (strlen (certname) > 2 && strncmp (certname, "*.", 2) == 0)
+ if (*certname == '*')
{
/* a wildcard certificate */
- cmpstr1 = certname + 1;
+ certname++;
- /* find the first dot in hostname, compare from there on */
- cmpstr2 = strchr (hostname, '.');
-
- if (cmpstr2 == NULL)
- {
- /* error, the hostname we're connecting to is only a local part */
- return 0;
- }
-
- if (strcasecmp (cmpstr1, cmpstr2) == 0)
- {
- return 1;
+ while (1)
+ {
+ /* Use a recursive call to allow multiple wildcards */
+ if (_gnutls_hostname_compare (certname, hostname))
+ {
+ return 1;
+ }
+ /* wildcards are only allowed to match a single domain component or component fragment */
+ if (*hostname == '\0' || *hostname == '.')
+ break;
+ hostname++;
}
return 0;
}
- if (strcasecmp (certname, hostname) == 0)
- {
- return 1;
- }
-
return 0;
}
diff -Naur gnutls26-2.2.3~rc/tests/hostname-check/hostname-check.c gnutls26-2.2.3~rc_subject_alt_name_permissive_wildcard/tests/hostname-check/hostname-check.c
--- gnutls26-2.2.3~rc/tests/hostname-check/hostname-check.c 2008-02-21 08:58:19.000000000 +0100
+++ gnutls26-2.2.3~rc_subject_alt_name_permissive_wildcard/tests/hostname-check/hostname-check.c 2008-05-03 14:00:17.000000000 +0200
@@ -336,6 +336,154 @@
"V4YbqvLUY2LG/bMEZGCcd8NL0eTHdwAXedIrHxSt6TTI2g==\n"
"-----END CERTIFICATE-----\n";
+/* Certificate with multiple wildcards SAN but no CN. */
+char pem6[] =
+ "X.509 Certificate Information:\n"
+ " Version: 3\n"
+ " Serial Number (hex): 00\n"
+ " Validity:\n"
+ " Not Before: Sat May 3 11:00:51 UTC 2008\n"
+ " Not After: Sat May 17 11:00:54 UTC 2008\n"
+ " Subject: O=GnuTLS hostname check test CA\n"
+ " Subject Public Key Algorithm: RSA\n"
+ " Modulus (bits 1024):\n"
+ " d2:05:c1:65:cb:bd:1e:2e:eb:7b:87:07:94:4c:93:33\n"
+ " f3:81:83:7d:32:1b:71:4e:4e:7f:c7:bc:bf:4b:2f:f2\n"
+ " 49:b5:cf:bf:c0:b8:e8:29:cc:f3:61:bd:2e:1d:e4:e8\n"
+ " 19:dd:c5:bd:2e:f0:35:b1:fd:30:d7:f5:a8:7c:83:9a\n"
+ " 13:9e:bf:25:ed:08:a6:05:9e:7b:4e:23:59:c3:0e:5a\n"
+ " f3:bf:54:c7:dc:d4:13:57:a1:0f:a2:9e:c8:ab:75:66\n"
+ " de:07:84:8d:68:ad:71:04:e0:9c:bd:cb:f6:08:7a:97\n"
+ " 42:f8:10:94:29:01:4a:7e:61:d7:04:21:05:4c:f1:07\n"
+ " Exponent:\n"
+ " 01:00:01\n"
+ " Extensions:\n"
+ " Basic Constraints (critical):\n"
+ " Certificate Authority (CA): TRUE\n"
+ " Subject Alternative Name (not critical):\n"
+ " DNSname: *.*.example.org\n"
+ " Key Purpose (not critical):\n"
+ " TLS WWW Server.\n"
+ " Subject Key Identifier (not critical):\n"
+ " 5493e6599b283b4529378818aef9a4abbf4d9918\n"
+ "Other Information:\n"
+ " Public Key Id:\n"
+ " 5493e6599b283b4529378818aef9a4abbf4d9918\n"
+ "\n"
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIICIjCCAY2gAwIBAgIBADALBgkqhkiG9w0BAQUwKDEmMCQGA1UEChMdR251VExT\n"
+ "IGhvc3RuYW1lIGNoZWNrIHRlc3QgQ0EwHhcNMDgwNTAzMTEwMDUxWhcNMDgwNTE3\n"
+ "MTEwMDU0WjAoMSYwJAYDVQQKEx1HbnVUTFMgaG9zdG5hbWUgY2hlY2sgdGVzdCBD\n"
+ "QTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA0gXBZcu9Hi7re4cHlEyTM/OBg30y\n"
+ "G3FOTn/HvL9LL/JJtc+/wLjoKczzYb0uHeToGd3FvS7wNbH9MNf1qHyDmhOevyXt\n"
+ "CKYFnntOI1nDDlrzv1TH3NQTV6EPop7Iq3Vm3geEjWitcQTgnL3L9gh6l0L4EJQp\n"
+ "AUp+YdcEIQVM8QcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAaBgNVHREEEzAR\n"
+ "gg8qLiouZXhhbXBsZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYE\n"
+ "FFST5lmbKDtFKTeIGK75pKu/TZkYMAsGCSqGSIb3DQEBBQOBgQAQ9PStleVvfmlK\n"
+ "wRs8RE/oOO+ouC3qLdnumNEITMRFh8Q12/X4yMLD3CH0aQ/hvHcP26PxAWzpNutk\n"
+ "swNx7AzsCu6pN1t1aI3jLgo8e4/zZi57e8QcRuXZPDJxtJxVhJZX/C4pSz802WhS\n"
+ "64NgtpHEMu9JUHFhtRwPcvVGYqPUUA==\n"
+ "-----END CERTIFICATE-----\n";
+
+/* Certificate with prefixed and suffixed wildcard SAN but no CN. */
+char pem7[] =
+ "X.509 Certificate Information:\n"
+ " Version: 3\n"
+ " Serial Number (hex): 00\n"
+ " Validity:\n"
+ " Not Before: Sat May 3 11:02:43 UTC 2008\n"
+ " Not After: Sat May 17 11:02:45 UTC 2008\n"
+ " Subject: O=GnuTLS hostname check test CA\n"
+ " Subject Public Key Algorithm: RSA\n"
+ " Modulus (bits 1024):\n"
+ " d2:05:c1:65:cb:bd:1e:2e:eb:7b:87:07:94:4c:93:33\n"
+ " f3:81:83:7d:32:1b:71:4e:4e:7f:c7:bc:bf:4b:2f:f2\n"
+ " 49:b5:cf:bf:c0:b8:e8:29:cc:f3:61:bd:2e:1d:e4:e8\n"
+ " 19:dd:c5:bd:2e:f0:35:b1:fd:30:d7:f5:a8:7c:83:9a\n"
+ " 13:9e:bf:25:ed:08:a6:05:9e:7b:4e:23:59:c3:0e:5a\n"
+ " f3:bf:54:c7:dc:d4:13:57:a1:0f:a2:9e:c8:ab:75:66\n"
+ " de:07:84:8d:68:ad:71:04:e0:9c:bd:cb:f6:08:7a:97\n"
+ " 42:f8:10:94:29:01:4a:7e:61:d7:04:21:05:4c:f1:07\n"
+ " Exponent:\n"
+ " 01:00:01\n"
+ " Extensions:\n"
+ " Basic Constraints (critical):\n"
+ " Certificate Authority (CA): TRUE\n"
+ " Subject Alternative Name (not critical):\n"
+ " DNSname: foo*bar.example.org\n"
+ " Key Purpose (not critical):\n"
+ " TLS WWW Server.\n"
+ " Subject Key Identifier (not critical):\n"
+ " 5493e6599b283b4529378818aef9a4abbf4d9918\n"
+ "Other Information:\n"
+ " Public Key Id:\n"
+ " 5493e6599b283b4529378818aef9a4abbf4d9918\n"
+ "\n"
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIICJjCCAZGgAwIBAgIBADALBgkqhkiG9w0BAQUwKDEmMCQGA1UEChMdR251VExT\n"
+ "IGhvc3RuYW1lIGNoZWNrIHRlc3QgQ0EwHhcNMDgwNTAzMTEwMjQzWhcNMDgwNTE3\n"
+ "MTEwMjQ1WjAoMSYwJAYDVQQKEx1HbnVUTFMgaG9zdG5hbWUgY2hlY2sgdGVzdCBD\n"
+ "QTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA0gXBZcu9Hi7re4cHlEyTM/OBg30y\n"
+ "G3FOTn/HvL9LL/JJtc+/wLjoKczzYb0uHeToGd3FvS7wNbH9MNf1qHyDmhOevyXt\n"
+ "CKYFnntOI1nDDlrzv1TH3NQTV6EPop7Iq3Vm3geEjWitcQTgnL3L9gh6l0L4EJQp\n"
+ "AUp+YdcEIQVM8QcCAwEAAaNnMGUwDwYDVR0TAQH/BAUwAwEB/zAeBgNVHREEFzAV\n"
+ "ghNmb28qYmFyLmV4YW1wbGUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1Ud\n"
+ "DgQWBBRUk+ZZmyg7RSk3iBiu+aSrv02ZGDALBgkqhkiG9w0BAQUDgYEAPPNe38jc\n"
+ "8NsZQVKKLYc1Y4y8LRPhvnxkSnlcGa1RzYZY1s12BZ6OVIfyxD1Z9BcNdqRSq7bQ\n"
+ "kEicsGp5ugGQTNq6aSlzYOUD9/fUP3jDsH7HVb36aCF3waGCQWj+pLqK0LYcW2p/\n"
+ "xnr5+z4YevFBhn7l/fMhg8TzKejxYm7TECg=\n"
+ "-----END CERTIFICATE-----\n";
+
+/* Certificate with ending wildcard SAN but no CN. */
+char pem8[] =
+ "X.509 Certificate Information:\n"
+ " Version: 3\n"
+ " Serial Number (hex): 00\n"
+ " Validity:\n"
+ " Not Before: Sat May 3 11:24:38 UTC 2008\n"
+ " Not After: Sat May 17 11:24:40 UTC 2008\n"
+ " Subject: O=GnuTLS hostname check test CA\n"
+ " Subject Public Key Algorithm: RSA\n"
+ " Modulus (bits 1024):\n"
+ " d2:05:c1:65:cb:bd:1e:2e:eb:7b:87:07:94:4c:93:33\n"
+ " f3:81:83:7d:32:1b:71:4e:4e:7f:c7:bc:bf:4b:2f:f2\n"
+ " 49:b5:cf:bf:c0:b8:e8:29:cc:f3:61:bd:2e:1d:e4:e8\n"
+ " 19:dd:c5:bd:2e:f0:35:b1:fd:30:d7:f5:a8:7c:83:9a\n"
+ " 13:9e:bf:25:ed:08:a6:05:9e:7b:4e:23:59:c3:0e:5a\n"
+ " f3:bf:54:c7:dc:d4:13:57:a1:0f:a2:9e:c8:ab:75:66\n"
+ " de:07:84:8d:68:ad:71:04:e0:9c:bd:cb:f6:08:7a:97\n"
+ " 42:f8:10:94:29:01:4a:7e:61:d7:04:21:05:4c:f1:07\n"
+ " Exponent:\n"
+ " 01:00:01\n"
+ " Extensions:\n"
+ " Basic Constraints (critical):\n"
+ " Certificate Authority (CA): TRUE\n"
+ " Subject Alternative Name (not critical):\n"
+ " DNSname: www.example.*\n"
+ " Key Purpose (not critical):\n"
+ " TLS WWW Server.\n"
+ " Subject Key Identifier (not critical):\n"
+ " 5493e6599b283b4529378818aef9a4abbf4d9918\n"
+ "Other Information:\n"
+ " Public Key Id:\n"
+ " 5493e6599b283b4529378818aef9a4abbf4d9918\n"
+ "\n"
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIICIDCCAYugAwIBAgIBADALBgkqhkiG9w0BAQUwKDEmMCQGA1UEChMdR251VExT\n"
+ "IGhvc3RuYW1lIGNoZWNrIHRlc3QgQ0EwHhcNMDgwNTAzMTEyNDM4WhcNMDgwNTE3\n"
+ "MTEyNDQwWjAoMSYwJAYDVQQKEx1HbnVUTFMgaG9zdG5hbWUgY2hlY2sgdGVzdCBD\n"
+ "QTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA0gXBZcu9Hi7re4cHlEyTM/OBg30y\n"
+ "G3FOTn/HvL9LL/JJtc+/wLjoKczzYb0uHeToGd3FvS7wNbH9MNf1qHyDmhOevyXt\n"
+ "CKYFnntOI1nDDlrzv1TH3NQTV6EPop7Iq3Vm3geEjWitcQTgnL3L9gh6l0L4EJQp\n"
+ "AUp+YdcEIQVM8QcCAwEAAaNhMF8wDwYDVR0TAQH/BAUwAwEB/zAYBgNVHREEETAP\n"
+ "gg13d3cuZXhhbXBsZS4qMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBRU\n"
+ "k+ZZmyg7RSk3iBiu+aSrv02ZGDALBgkqhkiG9w0BAQUDgYEAZ7gLXtXwFW61dSAM\n"
+ "0Qt6IN68WBH7LCzetSF8ofG1WVUImCUU3pqXhXYtPGTrswOh2AavWTRbzVTtrFvf\n"
+ "WJg09Z7H6I70RPvAYGsK9t9qJ/4TPoYTGYQgsTbVpkv13O54O6jzemd8Zws/xMH5\n"
+ "7/q6C7P5OUmGOtfVe7UVDY0taQM=\n"
+ "-----END CERTIFICATE-----\n";
+
+
void
doit (void)
{
@@ -475,6 +623,90 @@
else
success ("Hostname correctly does not match (%d)\n", ret);
+ success ("Testing pem6...\n");
+ data.data = pem6;
+ data.size = strlen (pem6);
+
+ ret = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail ("gnutls_x509_crt_import: %d\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "foo.example.org");
+ if (ret)
+ fail ("Hostname incorrectly matches (%d)\n", ret);
+ else
+ success ("Hostname correctly does not match (%d)\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "bar.foo.example.org");
+ if (ret)
+ success ("Hostname correctly matches (%d)\n", ret);
+ else
+ fail ("Hostname incorrectly does not match (%d)\n", ret);
+
+ success ("Testing pem7...\n");
+ data.data = pem7;
+ data.size = strlen (pem7);
+
+ ret = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail ("gnutls_x509_crt_import: %d\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "foo.bar.example.org");
+ if (ret)
+ fail ("Hostname incorrectly matches (%d)\n", ret);
+ else
+ success ("Hostname correctly does not match (%d)\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "foobar.bar.example.org");
+ if (ret)
+ fail ("Hostname incorrectly matches (%d)\n", ret);
+ else
+ success ("Hostname correctly does not match (%d)\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "foobar.example.org");
+ if (ret)
+ success ("Hostname correctly matches (%d)\n", ret);
+ else
+ fail ("Hostname incorrectly does not match (%d)\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "foobazbar.example.org");
+ if (ret)
+ success ("Hostname correctly matches (%d)\n", ret);
+ else
+ fail ("Hostname incorrectly does not match (%d)\n", ret);
+
+ success ("Testing pem8...\n");
+ data.data = pem8;
+ data.size = strlen (pem8);
+
+ ret = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail ("gnutls_x509_crt_import: %d\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "www.example.org");
+ if (ret)
+ success ("Hostname correctly matches (%d)\n", ret);
+ else
+ fail ("Hostname incorrectly does not match (%d)\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "www.example.");
+ if (ret)
+ success ("Hostname correctly matches (%d)\n", ret);
+ else
+ fail ("Hostname incorrectly does not match (%d)\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "www.example.com");
+ if (ret)
+ success ("Hostname correctly matches (%d)\n", ret);
+ else
+ fail ("Hostname incorrectly does not match (%d)\n", ret);
+
+ ret = gnutls_x509_crt_check_hostname (cert, "www.example.foo.com");
+ if (ret)
+ fail ("Hostname incorrectly matches (%d)\n", ret);
+ else
+ success ("Hostname correctly does not match (%d)\n", ret);
+
gnutls_x509_crt_deinit (cert);
gnutls_global_deinit ();
signature.asc
Description: This is a digitally signed message part.
